Administration Guide

IoT Device Discovery

IoT device discovery enables you to continuously perform discovery to identify newly connected non-workstation devices in the system, such as printers, cameras, media devices and so on. During the discovery process, each relevant Collector in the system periodically probes all its neighboring devices. Most nearby devices respond to these requests by pinging the originating Collector device and providing information about themselves, such as device/host name (for example, ABC PC, Camera123), IP address and so on.

Such discovered devices can be seen in the IOT DEVICES page, as described in IoT Devices.

Note – The following default configuration applies to IoT scans by the FortiEDR Collectors:

  • For operational reasons, Collectors that are running on servers, and Collectors that are reported to be in a degraded, disabled or isolated state, do not take part in the IoT probing process.
  • To avoid scanning home or other non-enterprise networks, only subnets in which there is a minimal number of Windows Collectors are scanned to find connected IoT devices.
  • Extremely large subnets are excluded from scans.

If you need to tune the scans to be more comprehensive and more granular, contact Fortinet Support, who will change the default configuration.

To enable IoT device discovery, check the Perform ongoing device discovery checkbox. When you do so, all relevant Collectors in the system perform sniffing in order to identify newly connected devices in the system. During this discovery process, FortiEDR uses only the most powerful Collectors in each sub-network to perform sniffing, and excludes weaker Collectors (disabled and degraded Collectors). This means that FortiEDR collects all the required information in the most efficient manner possible.

You can exclude specific Collector Groups from this discovery process. To do so, select the relevant Collector Group(s) in the Exclude Collector Groups dropdown list.

By default, when your organization has more than a single external IP address, FortiEDR ignores the external IP address of IoT devices when identifying and matching them. You can choose to list devices that use different external IP addresses separately by unchecking the checkbox next to the Consider devices with different external IP(s) as separated ones option. However, in this case the same device might be listed more than once in the IoT inventory page.

The Inventory Auto Grouping option enables you to group discovered devices by device type, for example, cameras, network devices, media devices, printers and so on. In the dropdown list, select Category to group discovered devices by device type, or select None. When you select Category, devices are auto-grouped in the IOT DEVICES page, as shown on IoT Devices.

Click the Save button to save the configuration.

We recommend testing the IoT device discovery process to ensure that it works as expected across all your organizations before enabling the ongoing periodic network scan. Testing can only be performed when IoT device discovery is not enabled, meaning the Perform ongoing device discovery checkbox is not checked. Select the Collector to use to test the IoT device discovery process in the Ad Hoc Network Discovery dropdown list and then click the Test button, as shown below.

The selected Collector sniffs the network once to identify newly connected devices. After the test discovery process begins, you can stop it at any time by clicking the Stop button. In all cases, the scan will be stopped within a predefined time period (usually 30 minutes).
